According to Forrester Research, the number of US households purchasing on the Internet (a.k.a. the Net) was 10 million in 1998. IDC estimated that this constituted sales of $14.9 billion. Forecasts for 1999 were 13 million households purchasing $31 billion of goods on the Net. These figures were made available in the xe2x80x9cState of the Internet: USIC""s Report on Use and Threats in 1999xe2x80x9d (http://www.usic.org/currentsite/usic_state_of_net99.htm).
Currently credit card purchases are the primary means of consumer electronic commerce on the Internet. As the popularity of the Net rises for electronic commerce so does credit card fraud.
Criminals use various methods to illegally acquire consumers"" credit-card numbers. In December 1999 the online music retailer CDUniverse was hacked and thousands of its customers"" credit-card numbers were published on the Net. Other web sites that were compromised include the wireless phone retailer Promobility.com and the electronic commerce portal Salesgate.com. (source: Forbes, May 22, 2000)
Another form of Net commerce fraud is via fake web sites that clone legitimate web sites. The fraudulent, i.e. dummy web site assumes the identity of the valid web site. An example of a credit-card fraud that used a cloned web site on the Net, is the e-mail billing scam. In September 1999 the web site of Value Net Internetwork Services was cloned. The perpetrator sent e-mails to dozens of consumers requesting that they visit the site to verify their credit-card information. Embedded in the e-mail was a link to a phony site (source: Forbes, May 22, 2000). Thus consumers unwittingly gave away their credit card numbers and other pertinent information (e.g. billing address) to thieves.
Protection against credit fraud has been legislated by the US Federal government in that the consumer is only liable for $50 of the fraudulent purchases. The rest of the cost is borne by the credit card company.
Outside of the Internet, credit-card transactions are primarily done via Mail Order/Telephone Ordering (MOTO). This obviously excludes xe2x80x9cface-to-facexe2x80x9d transactions executed in the merchant""s place of business. MOTO works whereby the customer calls the merchant, orders products and gives a credit-card number to the merchant over the phone. The merchant then contacts credit-card transaction authorizer to process the transaction. All that is checked in this customer-not-present (CNP) transaction is Address Verification Service (AVS). Other credit-card fraud prevention measures such as anti-tamper proof tape, holograms, etc. are obviously of no use in a CNP transaction. MOTO AVS simply compares a portion of the billing address that the customer gives the merchant on request with the records held by the card issuer. The limitations of AVS include the following:
AVS only works for billing addresses in the USA and the Internet is a global consumer network.
Thieves can supply a valid billing address, but then request a different shipping address.
Banks and credit-card issuers (e.g. American Express, MasterCard, Visa) are trying to solve this problem by encouraging the adoption of a new system called Secure Electronic Transaction SET (U.S. Pat. No. 5,790,677). On Aug. 4, 1998 the ""677 patent was granted to Fox et. al. and assigned to Microsoft Corporation. It is a good invention that uses digital certificates to validate all parties involved in the electronic transaction and encrypts credit card information and other financial data prior to transmission on a network.
To date, SET has not been adopted to any critical mass either by merchants or customers. A list of merchants that have adopted the SET protocol can be seen on the Net via links from the SET organization""s web site, e.g. for Visa SET merchants at http://www.visa.com/nt/ecomm/shopping/set_merchants.html and MasterCard SET merchants at http://www.mastercard.com/shoponline/set/bycountry.html. As can be seen from these merchant lists, most of the SET registered merchants are based in Europe and currently the total number is less than 1000. No indication is given as to how many customers use SET, although given the age tested economic principles of supply and demand, the fact that the number of merchants using SET is relatively low, it is a fair indication that too few consumers use SET. On these listed web sites it can be seen that very few US merchants are SET enabled. Today the US merchants on the Internet prefer to use Secure Sockets Layer (SSL). SSL only guarantees that data is safely (i.e. encrypted) transmitted between the customer and the merchant. It does not guarantee that the data will be electronically stored and handled safely by the merchant. Furthermore financial information that the merchant does not need to see is visible. An example of information that the merchant does not need to see is the customer""s credit card number. Practically all that the merchant needs to be concerned with is that he will be paid for the merchandise that he is selling to the customer and the customer""s shipping address. This visibility of financial information could lead to abuse. SSL does not deal with validating the identities of the various transaction parties.
Currently the US leads the world with the number of customers accessing the Net. The US has over 100 million PC users accessing the Internet, Western Europe has fewer than 100 million users and Asia-Pacific has fever than 50 million users (source: Business Week, May 29, 2000: Special Report xe2x80x9cWireless in Cyberspacexe2x80x9d).
There are other online commerce payment schemes, but to date one of these methods have achieved critical mass in usage by consumers. One example of an alternate online payment method is micro-cash, a.k.a. micropayments, and a.k.a. cybercash. U.S. Pat. No. 6,061,665 issued to Bahreman on May 9, 2000 and U.S. Pat. No. 5,815,657 issued to Williams, et al. on Sep. 29, 1998 are two examples of many of this technology. A number of problems are encountered with this method including the fact that currently very few merchants have adopted this payment method.
Both the SET and cybercash methods of online payment overlook the acceptance and trust of customers and merchants to use new and sophisticated technology. This invention proposes a method and means that builds on existing technology and payment methodologies that customers and merchants are comfortable with.
Another method has been proposed to secure CNP credit-card transactions by using personal identification numbers (PINs). An article in Inter@active Week trade journal on May 1, 2000, titled xe2x80x9cThe Answer To Credit-Card Security?xe2x80x9d discusses this proposal. The proposed method is similar to the use of a PIN in an automated teller machine (ATM) transaction. As the Inter@active Week article states, the problem with this proposal is that Visa and MasterCard have not shown an interest in this proposal. One other problem is that some customers keep their ATM PIN together with their ATM card. Hence if the customer""s wallet is stolen, then the thief has xe2x80x9cfreexe2x80x9d access to the customer""s bank account. A similar problem faces the online PIN proposal.
The invention proposes to emulate the Mail Order/Telephone Ordering (MOTO) process electronically. MOTO consists of the following steps:
1. Purchasexe2x80x94Customer purchases a service or product with a credit card from a merchant.
2. Authorizationxe2x80x94Customer""s credit card transaction is authorized.
3. Routingxe2x80x94The transaction is routed to the merchant""s bank (i.e. acquiring bank).
4. Processingxe2x80x94The merchant""s bank processes the transaction using an electronic processing network to notify the customer""s credit card company (i.e. issuer).
5. Postingxe2x80x94The customer""s credit card company posts the transaction to the customer""s account and then pays the merchant""s bank (i.e. acquiring bank).
6. Paymentxe2x80x94The merchant""s acquiring bank credits the merchant""s bank account.
The step that the invention focuses on is the Authorization step. In a customer-not-present (CNP) transaction, the customer is asked for a billing address, which is then used to verify the customer via an Address Verification Service (AVS). The current invention always verifies that the customer is who he says he is. This is done electronically and described in the Detailed Description of the Preferred Embodiment. Furthermore, the invention verifies the merchant as well. The preferred embodiment""s merchant verification method is similar to the method used by SET, but with the option of using the electronic AVS method proposed in this invention. Other commerce parties could as easily be verified using the proposed AVS of the invention.
A general note regarding the implementation of the electronic commerce described in this invention: all electronic steps are implemented by means of software resident on both the originator""s equipment, e.g. the customer premise equipment, as well as on the recipient""s equipment, e.g. the merchant""s web server.